Long story short, there is an acceptable method of session establishment that goes something like this:

SYN ->

Or, as I call it, the 4-way handshake. In Tod's testing, he found that this connection method worked on Ubuntu, OSX and Windows XP. This essentially reverses the flow of the connection establishment, but functionally does not change how data is transfered. We caught the link to this on Twitter, and scheduled some testing time. But we got tied up, and the folks over at Malware Forge posted their research:

Using some Python-fu, they found that it was possible to bypass Snort detection when a malicious server was modified to accept incoming sessions using the simultaneous connection method. The VRT verified this and worked on narrowing down the root cause, and then kicked it over to the dev team.

Enter Russ Combs, stream reassembly guru here at Sourcefire. He told us that Snort had a configuration option that would ensure that the four-way handshake didn’t impact the Stream5 preprocessor’s ability to correctly tag a stream and the subsequent direction of traffic.

The modification is to add the following value to your "preprocessor stream5_tcp:" line: require_3whs

To be clear, in the testing I'm going to show below, here are my values:

In this case, we only alerted on the standard content match without flow enforcement. This indicates that stream5 has incorrectly interpreted the stream. Remember that both the flow keywords, as well as the http_method modifier require stream5 to have properly marked a stream in order to function.

We now correctly alert on checks in both the http_inspect preprocessor and the flow direction. So, if you’re concerned about this evasion case, make the appropriate modifications, and then get to testing.

2 comments:

Matt -- If I understand the post correctly, when a session is created using the "four way handshake", the stream preproc will not be able to handle it correctly unless the require_3whs option is enabled. Is that correct? Is there any negative effect by adding this option (e.g: certain legitimate sessions ignored) or is this something that we should all definitely add to our stream5 configuration as it only enhances detection. Thanks!